Topic: Re: O365 + HTTPS Inspection + Bypass in Access Control Products

O365 + HTTPS Inspection + Bypass
<P>Hi All,</P>
<P>This issue has been discussed before in <A href="https://community.checkpoint.com/t5/Policy-Management/R80-20-HTTPS-Inspection-Bypass-for-Office365/m-p/33297#M2520" target="_blank" rel="noopener">https://community.checkpoint.com/t5/Policy-Management/R80-20-HTTPS-Inspection-Bypass-for-Office365/m-p/33297#M2520</A> but I have a few questions about this issue.</P>
<P>I am running App Control + HTTPS Inspection in R80.20.</P>
<P>In the HTTPS Inspection policy, I bypassed the Microsoft and Office365 services category as in the rule below, but traffic to Office365 is still inspected by HTTPS inspection.</P>
<P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/3008i72714BF28843CBB6/image-size/large?v=1.0&amp;px=999" title="image.png" alt="image.png" /></span></P>
<P>So in order to mitigate it, I had to create a custom category with all Office365 and MS domains.</P>
<P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/3009i4BEE789D9CABBF14/image-size/large?v=1.0&amp;px=999" title="image.png" alt="image.png" /></span></P>
<P>My questions are:</P>
<P>1. Is the fact that the "Microsoft &amp; Office365 services" category does not resolve Microsoft &amp; Office365 URLs/domains a bug in R80.20?</P>
<P>2. Is there a way to make it work in R80.20 without adding all Microsoft domains to the bypass rules (and without waiting for R80.40)? (<SPAN>sk104564 discusses adding manual domains but it refers to R70.20 only. If it is relevant to R80.20 as well, please update the SR.)</SPAN></P>
<P>3. It is discussed that activating "enhanced_ssl_inspection" can help with this issue. What is this exactly and how can it be achieved?</P>
Shahar_Grober, Fri, 08 Nov 2019 10:31:46 GMT
https://community.checkpoint.com/t5/Access-Control-Products/O365-HTTPS-Inspection-Bypass/m-p/66863#M848

Re: O365 + HTTPS Inspection + Bypass
Are you on JHF 117 or above?<BR />You need that for SNI support, which should make the simple “easy” rule work.
PhoneBoy, Sat, 09 Nov 2019 08:03:04 GMT
https://community.checkpoint.com/t5/Access-Control-Products/O365-HTTPS-Inspection-Bypass/m-p/66945#M855

Re: O365 + HTTPS Inspection + Bypass
Hi PB,<BR /><BR />I didn't upgrade yet to JHF 117 but I am willing to try. Is there an SK or any documentation about it?<BR /><BR />Whitelisting all MS domains is tedious. They have 20 different domains for each service they offer.
Shahar_Grober, Mon, 11 Nov 2019 08:52:54 GMT
https://community.checkpoint.com/t5/Access-Control-Products/O365-HTTPS-Inspection-Bypass/m-p/67043#M867

Re: O365 + HTTPS Inspection + Bypass
There's not much on it other than what's said in the R80.30 release notes.<BR />Basically it enhances the certificate matching used for "light" inspection to also include support for SNI.
PhoneBoy, Mon, 11 Nov 2019 22:22:56 GMT
https://community.checkpoint.com/t5/Access-Control-Products/O365-HTTPS-Inspection-Bypass/m-p/67128#M869

Re: O365 + HTTPS Inspection + Bypass
<P>PhoneBoy hinted towards it but the reality needs a stronger statement (IMHO): upgrade to R80.30 - it properly fixes this!</P>
<P>I have O365 on various sites and it's been pretty much impossible to do anything with an expectation of 100% success other than a complex exclusion from HTTPS inspection using the Microsoft IP subnet based destinations as a HUGE group of networks which we update weekly from the published Microsoft list of O365 subnets just like you have had to do.</P>
<P><FONT size="6" color="#FF0000"><STRONG>....until R80.30!</STRONG></FONT></P>
<P>The SNI and other really effective changes Check Point have made from R80.20 to R80.30 in HTTPS inspection make it a genuinely realistic option...make sure you're sitting down here...to do HTTPS inspection on Office 365 traffic!</P>
<P>The <SPAN><EM><STRONG>enhanced_ssl_inspection</STRONG> </EM>parameter is now (at R80.30 level) completely irrelevant and ignored by the kernel.</SPAN></P>
<P>For example, I support a site with HTTPS fully enabled, we're rolling out O365 and all I have done is allow the Application Microsoft &amp; Office365 Services for all users. I have tested quite thoroughly for all of the main applications and everything works, with the exception of file transfer within a Teams chat (which never used to be able to work in Skype with HTTPS inspection either - I'm guessing it's a similar issue) but most corporates are not at all bothered that this particular backdoor is closed, albeit accidentally.</P>
<P>I have a major issue with the ability to access <U><STRONG>personal</STRONG></U> outlook.com and I'll be posting separately about that but for your needs, once upgraded to R80.30 you can drop loads of HTTPS inspection overrides and expect success! Do expect to have to keep HTTPS inspection overrides for Dropbox and Box (there's a full list in usercenter) which use sticky certificates and craplications by such companies as Fedex and DHL which just break if you look at them in the wrong way.</P>
John_Fenoughty, Wed, 20 Nov 2019 23:50:01 GMT
https://community.checkpoint.com/t5/Access-Control-Products/O365-HTTPS-Inspection-Bypass/m-p/67946#M916

Re: O365 + HTTPS Inspection + Bypass
In our HTTPS Inspection Best Practices sessions we've done in local user groups, we make exactly this point. <span class="lia-unicode-emoji" title=":beaming_face_with_smiling_eyes:">😁</span>
PhoneBoy, Thu, 21 Nov 2019 10:06:17 GMT
https://community.checkpoint.com/t5/Access-Control-Products/O365-HTTPS-Inspection-Bypass/m-p/67982#M919

Re: O365 + HTTPS Inspection + Bypass
This is really good news as I hate MS / O365 network requirements - pls don't proxy us, pls don't intercept, but do filter on URLs with wildcards... Worst security setup ever
Kaspars_Zibarts, Sat, 23 Nov 2019 22:44:52 GMT
https://community.checkpoint.com/t5/Access-Control-Products/O365-HTTPS-Inspection-Bypass/m-p/68240#M928

Re: O365 + HTTPS Inspection + Bypass
<P>Hi John,</P>
<P>Regarding your implementation, is the picture below similar to what you implemented?</P>
<P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="365bypass.PNG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/3305iD0286BEF546EF8CD/image-size/large?v=1.0&amp;px=999" title="365bypass.PNG" alt="365bypass.PNG" /></span></P>
Steve_Payne1, Mon, 25 Nov 2019 15:16:04 GMT
https://community.checkpoint.com/t5/Access-Control-Products/O365-HTTPS-Inspection-Bypass/m-p/68408#M958

Re: O365 + HTTPS Inspection + Bypass
Good info put here John!<BR /><BR />It is sufficient reason to upgrade to R80.30.<BR /><BR />I wish there was an SK with all services which have issues with HTTPS inspection. I guess it is impossible to test all but at least put a list of high usage apps like box/dropbox/O365 that can break using HTTPS inspection and how to bypass them.
Shahar_Grober, Mon, 25 Nov 2019 16:30:50 GMT
https://community.checkpoint.com/t5/Access-Control-Products/O365-HTTPS-Inspection-Bypass/m-p/68422#M960

Re: O365 + HTTPS Inspection + Bypass
<P>We have such an SK: <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112214" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112214</A></P>
PhoneBoy, Mon, 25 Nov 2019 17:11:45 GMT
https://community.checkpoint.com/t5/Access-Control-Products/O365-HTTPS-Inspection-Bypass/m-p/68432#M961

Re: O365 + HTTPS Inspection + Bypass
Good stuff.<BR />So if I get it correctly, HTTPS Inspection bypass is working on R80.30 with the pre-defined apps mentioned in the SK?<BR />And on R80.20 and lower versions, I have to create a custom app with domain names to do the HTTPS Inspection Bypass?
Shahar_Grober, Sat, 30 Nov 2019 09:54:15 GMT
https://community.checkpoint.com/t5/Access-Control-Products/O365-HTTPS-Inspection-Bypass/m-p/68909#M1034

Re: O365 + HTTPS Inspection + Bypass
<P><LI-USER uid="10232"></LI-USER></P>
<P>Hope you are doing fine. Would you mind pointing out which SKs you used to do proper overrides on applications? Do you use the bypass action?</P>
<P>There are some applications that I still have issues with even in R80.30, the only way to make them work is probe bypass but... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P>
<P>I think that the real killer will be the granular HTTPS inspection policy on R80.40</P>
FedericoMeiners, Sat, 30 Nov 2019 14:58:31 GMT
https://community.checkpoint.com/t5/Access-Control-Products/O365-HTTPS-Inspection-Bypass/m-p/68913#M1037